Cracking a Vulnerable WPA2 Network – 3

Part 3 – Using Hashcat to Crack the Password Hash

In the final section of this series, we’ll use Hashcat on Windows(!) to get us the network password we’re looking for. Make sure you followed the instructions in Part 1 concerning how to make hashcat available on your Windows host system.


Preparing Hashcat

We are going to use the program Hashcat to do the rest of the work for us. Still in our Kali VM, we first need to convert the .cap file mentioned above into a file that Hashcat understands. For this, we’ll use a Hashcat binary specifically for that purpose. Here is the command I used:

sudo /usr/share/hashcat-utils/cap2hccapx.bin TPLink1-01.cap wpa2.hccapx

The binary we need is called cap2hccapx.bin. In my Kali VM, that’s located at /usr/share/hashcat-utils, but yours may be in a different location. Check to see if it’s in the usual location:

ls -a /usr/share/hashcat-utils

If you get an error or the directory is empty, you will need to search the file system for that .bin. If you happen to be following along on Ubuntu, for example, this utility is in a different location. You can always run which hashcat to confirm that the main program is installed and to see where it lives (for example in /bin or /sbin).

The rest of the command above is simply the .cap file to be converted, and the name of the .hccapx file we’ve chosen. After running, you should see this (the number of handshakes will vary):


Running Hashcat in Windows

You will need to move the file you just created (mine is named “wpa2.hccapx”) to your Hashcat directory in Windows. If you’re using VMWare Player, you can just drag and drop the file from the file manager in your Kali VM over to Windows. If this doesn’t work for some reason, or you’re using VirtualBox without the guest additions installed, you will need to find another way to move that file – perhaps email to yourself using Firefox in Kali.

I suggest opening your Windows Hashcat directory in PowerShell (just right click and select “Open in Terminal”), but you can also use Command Prompt. Below, you can see the contents of the Hashcat directory I extracted earlier and the new file I just moved in from my Kali VM.

Let’s check and make sure that Hashcat recognizes this Windows PC has a discrete GPU:

.\hashcat.exe -I

The result does indeed show two available GPUs: one is the onboard Intel graphics and the other is my NVIDIA Quadro P600 card:

You might be wondering why we don’t use Hashcat in our Kali VM since it’s already installed there. Well, we could, but Kali doesn’t detect the NVIDIA card on my system and will only run the attack with the ultra-slow onboard graphics card. Frankly, even if Kali on your system DOES properly identify your discrete graphics hardware, these cards almost always run faster and more efficiently in Windows anyway, so I would still recommend actually performing the attack from Windows.

We’ll now run the attack using the command below:

.\hashcat.exe -m 2500 --deprecated-check-disabled -a 3 wpa2.hccapx ?d?d?d?d?d?d?d?d

A few notes on that command:

  • -m 2500 This selects the hash mode, i.e. the kind of hash Hashcat should expect (WPA/WPA2 handshakes in .hccapx form). One note: mode 2500 is now officially deprecated in favor of mode 22000, which combines handshake types into a single file and saves GPU cycles. Even though mode 2500 is deprecated, you can still use it. See this discussion for information on the new procedure.
  • --deprecated-check-disabled This allows the deprecated mode 2500 to run without errors.
  • -a 3 This tells Hashcat to perform a mask attack, i.e. a brute force over the pattern given by the mask.
  • ?d?d… This is the mask. Each ?d stands for one decimal digit (0–9), so eight of them tells Hashcat to try every 8-digit all-numeric password.
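Eight ?d positions describe a very small keyspace, which is the reason an all-digit passphrase falls so quickly. The Python below, added here and not part of the original post, computes the keyspace of any hashcat mask and maps a candidate passphrase to the smallest mask it would fall under, so you can judge a router's passphrase before you keep it; the hash rate is an assumption to replace with your own hashcat -b figure.

```python
import string

# Hashcat built-in charsets and their sizes (from hashcat's mask documentation).
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}

# Alphabets used to map a passphrase character back to the smallest charset.
CHARSET_ALPHABETS = [
    (string.digits, "?d"),
    (string.ascii_lowercase, "?l"),
    (string.ascii_uppercase, "?u"),
    (string.punctuation + " ", "?s"),
]


def mask_keyspace(mask: str) -> int:
    """Number of candidates a hashcat -a 3 mask describes, e.g. 8 x '?d' -> 10**8.
    A literal character contributes one choice; '??' escapes a literal '?'."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] != "?":
            i += 1  # literal character: exactly one choice at this position
            continue
        token = mask[i:i + 2]
        if token in CHARSET_SIZES:
            total *= CHARSET_SIZES[token]
        elif token != "??":
            raise ValueError(f"unknown or dangling charset token {token!r}")
        i += 2
    return total


def passphrase_to_mask(passphrase: str) -> str:
    """Smallest built-in-charset mask covering each position of a passphrase.
    An all-digit passphrase collapses to '?d' per position, the post's tiny keyspace."""
    out = []
    for ch in passphrase:
        for alphabet, token in CHARSET_ALPHABETS:
            if ch in alphabet:
                out.append(token)
                break
        else:
            raise ValueError(f"{ch!r} is outside hashcat's built-in ASCII charsets")
    return "".join(out)


def seconds_to_exhaust(mask: str, hashes_per_second: float) -> float:
    """Worst-case time to try every candidate; rate is an assumed figure from `hashcat -b`."""
    return mask_keyspace(mask) / hashes_per_second
```

Compare seconds_to_exhaust(passphrase_to_mask("12345678"), rate) with the same call for a mixed-class passphrase of the same length to see how much the character classes, not just the length, buy you.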

Once Hashcat begins the attack, you can check the status at any time by pressing s on your keyboard.

As you can see below, I checked the status of the command 40 seconds after it began and about 49 minutes before it was expected to finish (it didn’t take that long).

Depending how powerful your PC’s GPU is, this will take a while. Go grab a soda, pet the cat, etc. When the attack is complete, you should see this:

Above, Hashcat has listed the BSSID and ESSID of the target router, along with its 8-digit numeric password!

That brings us to the end of this tutorial series! Remember to use your powers for good only, and please feel free to leave any comments or questions below. Thanks for reading!
